Ridesharing service Uber has been through the wringer in recent years, and it doesn’t seem like things are going to slow down for it any time soon. From claims of a hostile working environment within its corporate ranks to instances of violence against both drivers and passengers worldwide, the company has been embattled for years as it has grown from a startup to a multi-million dollar corporation. Shortly after a new CEO took the helm this past August, he learned of a data breach in 2016 that had been completely covered up by Uber employees. This breach was brought to light on Nov. 21 in a disclosure published on Uber’s site written by the CEO, and within days several lawsuits had popped up related to the breach and the company’s failure to publicly disclose it in a timely manner. If you want to know whose information was exposed in the breach, why and how it was covered up and what’s being done now, stay on this page.

How did the breach occur?

Sometime in October 2016, two cybercriminals accessed data that was stored on a third-party, cloud-based service Uber used and downloaded a cache of information. The breach disclosure says that these malicious actors did not access any corporate systems or infrastructure, merely a third-party service, for which Uber says it has since implemented stricter access restrictions and controls. Although the breach was caught early on and the cybercriminals in question were quickly identified, Uber did not notify regulatory authorities or potentially affected riders and drivers; instead, the company paid the hackers $100,000 in exchange for confirmation that the stolen data had been destroyed and kept quiet. Uber is far from the first company to cave to cyberattackers and pay in exchange for the return of sensitive data or access to hijacked systems — research shows that around 70% of businesses wind up paying — but it’s the fact that this was never disclosed to anyone outside of a select number of internal employees that has become the center of much controversy.

What information did the Uber breach expose?

According to information provided by Uber, the breach exposed data belonging to both users of its rideshare service and its drivers. Information including names, emails and phone numbers for approximately 57 million riders worldwide was accessed, and around 600,000 drivers had their names and driver’s license numbers accessed. The company was quick to assure that it had discovered no evidence that any trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded by the hackers.

What is Uber doing now that the breach has been brought to light?

Uber has hired a former general counsel of the National Security Administration to help it restructure its security teams and processes, as well as a private cyberforensics firm, Mandiant, to investigate the issue. Several high-level employees, including two people who led the initial response in 2016, have been ousted from the company for their roles in the breach cover-up. Three more managers resigned on Dec. 1, amid the backlash from the breach controversy, as well as allegations stemming from ongoing testimony in a lawsuit against a company called Waymo. This testimony has indicated questionable data security practices, including the use of disappearing chat apps for internal communications among Uber employees.

Beyond the firing of involved employees and hiring of outside security professionals, Uber has been individually contacting drivers whose licenses were exposed and offering them free credit report monitoring and identity theft protection services. The 57 million rider accounts impacted are being monitored by Uber for potential suspicious activity, though the breakdown of how many individuals in different countries were impacted is not yet known.

Is the company going to face legal action?

As previously mentioned, multiple lawsuits have already been filed against Uber as a result of this data breach, including suits from Washington state, California and even the city of Chicago, alleging that the company broke the law by concealing the breach and failing to notify those whose information was involved. New York’s attorney general has also launched an investigation, as have other states including Missouri and Massachusetts. Although some compensation might come the way of affected drivers and riders, the best-case scenario for data breach victims across the board is that instances like this will further spur the federal government to recognize the need for some type of mandated notification laws, as well as regulations for how victims should be notified and compensated if their information is lost due to poor cybersecurity on a business’s part. Note that these lawsuits join a crowded collection of other suits against Uber, ranging from those related to its lax hiring processes and poor treatment of drivers to a case alleging an Uber executive stole medical files from a sexual assault victim in India.

What can Uber riders and drivers do?

Unfortunately, this is unlikely to be the only data breach that has been swept under the rug — or the last — as for some companies it might seem like a smarter idea to keep things quiet than expose their security follies and wind up like Equifax. On top of that, many breaches aren’t discovered until months have passed, sometimes even years (as we saw with Yahoo), which means that there isn’t much anyone can do to protect themselves from specific threats other than practice smart cybersecurity and personal security habits. That said, since email addresses and cell phone numbers were exposed for riders, anyone concerned should be on the alert for potential phishing emails or text messages. Drivers, likewise, should watch for signs that their license number is being used by someone else and report anything suspicious immediately. Driver’s license fraud is more common than you might think, though some states have sought to crack down on this type of identity theft using a number of tools to fight it. In the event that class-action lawsuits are brought against Uber as a result of this breach, you might or might not elect to participate (if you’re eligible).
